Message-ID: <41BF5E83.4080405@temple.edu>
Date: Tue, 14 Dec 2004 13:43:31 -0800
From: Dwayne Ghant
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp

Have you tried writing a session bean??? If not, just write a session bean
and import it as a header in all your *.jsp pages.
The sessions will control the flow of the application.

ex:

    <%@ include file="Secrity_stuff.jsp" %>

This is common in writing applications.

Robert Taylor wrote:

>Thanks Hassan. I didn't realize that was added to the 2.4 spec.
>Thanks for pointing that out.
>
>Even so, it would be nice to know how to use CMS to achieve this.
>
>Maybe a better way to form the question would be how do I use
>CMS to protect .jsp pages from direct access and return a user
>friendly page/message when a .jsp page is requested without going through
>the controller?
>
>/robert
>
>>-----Original Message-----
>>From: Hassan Schroeder [mailto:hassan@webtuitive.com]
>>Sent: Tuesday, December 14, 2004 2:21 PM
>>To: Tomcat Users List
>>Subject: Re: [newbie] Container Managed Security - preventing direct
>>access to .jsp
>>
>>Robert Taylor wrote:
>>
>>>Please let me know if this question is just too obvious
>>>and I'll gladly RTFM...
>>
>>See below :-)
>>
>>>It just seems like a common idiom to provide a portable mechanism
>>>for protecting direct access to .jsp so as to enforce access through
>>>some controller. I have in the past placed .jsp files "behind" WEB-INF,
>>>but I don't believe that is portable and would like to use CMS to achieve
>>>this.
>>
>>Given that the Java™ Servlet Specification Version 2.4, page 70 sez:
>>
>>   A special directory exists within the application hierarchy
>>   named WEB-INF. This directory contains all things related to
>>   the application that aren't in the document root of the
>>   application. The WEB-INF node is not part of the public
>>   document tree of the application. No file contained in the
>>   WEB-INF directory may be served directly to a client by the
>>   container.
>>
>>I don't know how much more "portable" you want it to be :-)
>>
>>HTH!
>>--
>>Hassan Schroeder ----------------------------- hassan@webtuitive.com
>>Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
>>
>>                          dream. code.

-- 
Dwayne A. Ghant
Application Developer
Temple University
215.204.5555
dghant@temple.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
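
For the question quoted above (using container-managed security to block direct .jsp requests and return a friendly page), one possible Servlet 2.4 deployment descriptor, added here as an example and not taken from the thread or from Tomcat's own documentation. The servlet name and class, the `*.do` mapping and `/denied.html` are hypothetical.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Constructed example: servlet name, class, URL patterns and the
     error page path are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- All client traffic enters through the controller servlet. -->
  <servlet>
    <servlet-name>controller</servlet-name>
    <servlet-class>com.example.ControllerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>controller</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- Deny every direct client request for a JSP. An auth-constraint
       with no role-name elements means no caller, authenticated or
       not, may access the matched URLs. Leaving out http-method
       applies the constraint to all HTTP methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs reachable only via the controller</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The container answers a denied request with 403. Map that status
       to a friendly page; it is static so it does not match *.jsp. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.html</location>
  </error-page>
</web-app>
```

Security constraints apply to client requests only, not to a `RequestDispatcher` forward or include, so the controller can still forward to the JSPs. For the same reason the controller must make its own authorization decision before forwarding, because the container will not re-check the JSP URL.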